Subject: kern/25773: ipnat rdr rules not properly matched against ipf.conf rules; traffic not passed properly
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <arto@selonen.org>
List: netbsd-bugs
Date: 06/01/2004 12:53:02
>Number:         25773
>Category:       kern
>Synopsis:       ipnat rdr rules not properly matched against ipf.conf rules; traffic not passed properly
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 01 12:54:01 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Arto Selonen
>Release:        NetBSD-current w/ sources from anoncvs fi-mirror ca. May 31st
>Organization:
>Environment:
NetBSD blah 2.0F NetBSD 2.0F (BLAH) #40: Tue Jun  1 11:57:37 EEST 2004  blah@blah:/obj/sys/arch/i386/compile/BLAH i386
>Description:
The following system (with 10.20/16 as some imaginary public net):

   10.20.30.40/28(fxp0)NETBSD-FWGW(fxp1)10.20.35.1/24

has the following ipnat.conf (IP addresses modified):

# ftp proxy
map fxp0 0/0 -> 10.20.30.40/32 proxy port ftp ftp/tcp
# transparent squid + internal web servers
rdr fxp1 10.20.35.80/32 port 80 -> 10.20.35.80 port 80 tcp
rdr fxp1 10.20.35.81/32 port 80 -> 10.20.35.81 port 80 tcp
rdr fxp1 0/0 port 80 -> 10.20.35.1 port 3128 tcp
# DNS redirect; we don't want to expose certain hosts to bad world
rdr fxp0 10.20.35.54/32 port 53 -> 10.20.35.53 port 53 tcp/udp
rdr fxp0 10.20.35.55/32 port 53 -> 10.20.35.53 port 53 tcp/udp

In other words, external DNS queries for internal hosts .54 and .55
are redirected to internal host .53, using NAT rdr rules.

Similarly, there are rules in ipf.conf to allow DNS traffic to
internal hosts (partial set of rules):

# GROUP 10041: fxp0 inbound DNS traffic
pass in quick proto udp from any to 10.20.30.40 group 10041
pass in quick proto udp from any to 10.20.35.52 group 10041
pass in quick proto udp from any to 10.20.35.53 group 10041
pass in quick proto udp from any to 10.20.35.1  group 10041
pass in quick proto tcp from any to 10.20.30.40 flags S keep state group 10041
pass in quick proto tcp from any to 10.20.35.52 flags S keep state group 10041
pass in quick proto tcp from any to 10.20.35.53 flags S keep state group 10041
pass in quick proto tcp from any to 10.20.35.1  flags S keep state group 10041
# default block all
block in log quick all group 10041

So, rule 10041:9 is the default "block all", with the allow rules before it.
This is what ipmon logs show, when external queries are made to 10.20.35.54 or 10.20.35.55:

01/06/2004 13:09:25.849670 fxp0 @10041:9 b 10.20.25.53,32768 -> 10.20.35.53,53 PR udp len 20 82 IN
01/06/2004 13:09:34.869072 fxp0 @10041:9 b 10.20.25.53,32768 -> 10.20.35.53,53 PR udp len 20 82 IN NAT
01/06/2004 13:09:43.888424 fxp0 @10041:9 b 10.20.25.53,32768 -> 10.20.35.53,53 PR udp len 20 71 IN NAT

So, traffic does not match against the previous rules, even though it "obviously" should.

This problem appeared after an OS upgrade on May 27th (using sources from anoncvs fi-mirror from ~May 26th).
The previous upgrade was done on ~May 12th, and up until May 27th DNS traffic was getting through.

I also noticed kern/25769, before the upgrade today, but removing
hw checksums from fxp* ifconfig files did not help.

I also tried breaking up the rdr rules to separate tcp and udp
rules, but that didn't seem to have any effect.
>How-To-Repeat:
I don't have another box where I could test if this can be triggered simply by creating something like:

/etc/ipnat.conf
rdr if host1/32 port 53 -> host2 port 53 tcp/udp

and a corresponding /etc/ipf.conf rule(s) like:
pass in quick on if proto tcp/udp from any to host2/32 port = 53

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
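The discrepancy the ipmon lines in this PR show (a packet to 10.20.35.53 logged as blocked by 10041:9 although 10041:3 passes udp to that host) can be checked mechanically. The following is an added example, not code from the PR or from IPFilter: it parses the group 10041 rules and the logged lines, re-evaluates each logged packet against the rules with first-match ("quick") semantics, and reports every line whose logged verdict differs from the predicted one. It assumes every rule is quick, parses only the rule forms used in the report, and its rule and log samples are constructed from the report's text.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample: group 10041 from the report, in evaluation order, plus one logged ipmon line.
IPF_CONF = """\
pass in quick proto udp from any to 10.20.30.40 group 10041
pass in quick proto udp from any to 10.20.35.52 group 10041
pass in quick proto udp from any to 10.20.35.53 group 10041
pass in quick proto udp from any to 10.20.35.1  group 10041
pass in quick proto tcp from any to 10.20.30.40 flags S keep state group 10041
pass in quick proto tcp from any to 10.20.35.52 flags S keep state group 10041
pass in quick proto tcp from any to 10.20.35.53 flags S keep state group 10041
pass in quick proto tcp from any to 10.20.35.1  flags S keep state group 10041
block in log quick all group 10041
"""
IPMON_LOG = """\
01/06/2004 13:09:34.869072 fxp0 @10041:9 b 10.20.25.53,32768 -> 10.20.35.53,53 PR udp len 20 82 IN NAT
"""
# Parses only the rule forms used above and assumes every rule is "quick" (first match wins).
RULE_RE = re.compile(r"^(pass|block) in (?:log )?quick (?:proto (\w+) from (\S+) to (\S+)|all).*\bgroup (\d+)")
LOG_RE = re.compile(r"@(\d+):(\d+) ([bp]) (\S+),\d+ -> (\S+),\d+ PR (\w+)")
def parse_rules(conf):
    """Map group -> [(action, proto, src, dst)]; list position + 1 is the number ipmon prints."""
    groups = {}
    for line in conf.splitlines():
        if m := RULE_RE.match(line.strip()):
            action, proto, src, dst, group = m.groups()
            groups.setdefault(group, []).append((action, proto, src, dst))
    return groups

def addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def expected_verdict(rules, proto, src, dst):
    """First-match evaluation within one group: returns (rule number, action)."""
    for n, (action, rproto, rsrc, rdst) in enumerate(rules, start=1):
        if rproto is None or (rproto == proto and addr_matches(rsrc, src) and addr_matches(rdst, dst)):
            return n, action
    return None, None

def audit(conf, log):
    """One (dst, proto, logged, expected) tuple per ipmon line whose verdict the rules do not predict."""
    groups, findings = parse_rules(conf), []
    for line in log.splitlines():
        if m := LOG_RE.search(line):
            group, rule, act, src, dst, proto = m.groups()
            logged = (int(rule), "block" if act == "b" else "pass")
            expected = expected_verdict(groups.get(group, []), proto, src, dst)
            if expected != logged:
                findings.append((dst, proto, logged, expected))
    return findings
```

Because ipmon already prints the post-rdr destination (10.20.35.53, tagged NAT), the audit predicts rule 3 (pass) for that line and flags the logged 10041:9 block as unexplained by the rule set.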